Does your grid need to prepare for GDPR?

This May, a major new regulation goes into effect — the European General Data Protection Regulation, or GDPR. It affects any company anywhere in the world that collects data on Europeans. And yes, that includes emails and IP addresses, and there’s no minimum company size required. If you’re an organized grid, whether commercial or non-profit, you have to comply. If you don’t, fines can go as high as 20 million Euros, or 4 percent of annual revenues — whichever is bigger.

To comply, companies have to put processes in place to protect data, notify authorities immediately if the data is breached, and allow their customers to be able to delete that data if they want.

(Image courtesy Avalonia Estate.)

Large grids that have invested a lot of time and money in their operations need to get their houses in order right now. And anyone who uses an outside hosting company for their grids needs to make sure that the hosting company is on top of things.

“One way to get around GDPR would be not to register with real life identities then it is no longer personal information,” Avalonia Estate owner Justin Ireman told Hypergrid Business. “Or grids will need to specifically exclude EU citizens from being customers, blocking European IPs for instance.”

(Ireman insists he is not an expert and not a lawyer and so his views are his opinions and interpretations of this complex law only so each reader should cross check.)

How are the grids preparing?

I tried to contact all the major grid owners, and only a few got back to me about whether they’re ready for GDPR or not.

For instance, Kitely has already taken some steps to comply with GDPR and will be in full compliance once the regulations come into effect, Kitely CEO Ilan Tochner told Hypergrid Business.

Ilan Tochner

“We’ve already developed some of the capabilities we’ll need for supporting the right to be forgotten as specified in the GDPR,” he said. “Most of the upcoming technical changes will be in our back-end and how we handle user data.”

Kitely is currently the largest commercial grid by land area, according to the latest stats, and one of the top ten grids by traffic numbers. It also runs the Kitely Market, which delivers to more than 200 other grids. So there’s a lot of information there that they collect about their customers — and a lot at stake if they don’t get up to speed.

Take for example, the question of protecting the data.

That doesn’t just mean encrypting everything. Grids also have to be careful bout how they store the passwords to unlock that data.

Kitely Welcome Center. (Snapshot by Maria Korolov.)

“It’s important to ensure that the keys used to access them aren’t just stored in plain text on the same storage device,” said Tochner. “Otherwise the database table encryption won’t be worth much when confronted with a knowledgeable hacker.”

And everything has to be done in such a way so it doesn’t interfere with operations.

“We’ll aim to minimize the amount of user-visible changes so as not to reduce the functionality our services provide,” he said.

Are the vendors ready?

For some grid owners, the new regulation is yet another reason to use outside services for as much as possible, and just stick to what they do best — community building, content, events, support, and marketing.

“Any external vendor you use that has access to your users’ personal information should be GDPR compliant or your service can’t be GDPR compliant as well,” said Tochner.

For example, many grids have recently began using the Gloebit virtual currency platform, which offers a single, hypergrid-enabled currency that can be used on any participating grid.

Christopher Colosi

Gloebit itself uses third-party services to handle most of the payment information it gets from its users.

“And anything that we consider personally identifiable information, we encrypt in our databases so that if any malicious actor ever did manage to copy some user rows, they wouldn’t get any information on any user,” Gloebit CEO Christopher Colosi told Hypergrid Business.

Full details of how GDPR will be enforced and how it will affect OpenSim companies are yet to come.

“Hopefully the regulation is written so that complying is not overly onerous for small businesses,” he added.

The grid is already up to speed when it comes to communicating with users about how their data is used and if there’s a breach.

“We inform our customers about any issues affecting them as soon as possible,” he said. “Beside this, we did already document our operational tasks in a log book to have a data source to constantly improve our operational processes.”

How big a problem is this?

Will the European Union really go after a tiny virtual world for minor non-compliance issues?

“Probably not, but all it would take would be one disgruntled grid user not happy with a grid for failing to protect the data or not allowing the user access to their personal data, including the right to be forgotten, and a report could be made to the authorities,” said Avalonia Estate’s Ireman. “So who knows.”

Even non-commercial and not-for-profit grids will also need to comply for as long as they process personal information and allow for sign ups with real identities.

“Again a best guess, as the GDPR applies to charities and other non-profit making organizations just as much as to commercial businesses this would apply to non-profits such as OSGrid as it allows sign-ups from EU citizens,” he said. “In fact the regulation makes clear it doesn’t matter if the goods or services are provided for a fee or free of charge.”

If your grid isn’t prepared, it’s not alone.

Only 21 percent of IT professionals and executives say they have a good understanding of what GDPR means in practice and only 18 said they understood what data their company has and where it lives, according to a recent survey by Commvault, a data backup, protection, recovery and management provider who also helps companies prepare for compliance ahead of GDPR coming to effect,

“It is highly likely that we will see a number of high profile organizations hitting the headlines for contravening GDPR soon after it comes into effect next May, mainly due to a lack of understanding of the data they hold and its relationship to GDPR,” said Nigel Tozer, solutions director at Commvault.

Are UUIDs personally identifiable information?

A UUID — the unique number assigned to each OpenSim avatar — may be classified as personal data if it can be used to identify a real person.

“Under the GDPR, personal information isn’t just phone numbers, names and addresses,” said Ireman. “It can be any information that can lead back to the real identity of an EU citizen. UUID numbers of avatars that are tied to real identities at grids will now be considered personal information. The scope of this is truly massive.”

And it’s not just customer information that has to be protected. So does information about employees, volunteers, and donors.

Grids that are hobby grids, used by just the grid owner and their friends, will most likely be exempt. That is one way of ensuring the grid does not fall under that jurisdiction.

These grids don’t offer any goods or services to the general public, and make no effort to collect and analyse data about EU citizens.

Preparation for compliance

Here are some steps grids should take to prepare for the GDPR. They are generally good policies to follow in any case, however.

The firs step is to get real consent.

Make sure your users give their consent for you to collect information about them in an informed way. Pre-checked “I accept” boxes are not enough. And consent has to be granted again when the data is going to be collected or used in a new way.

The consent questions should be on the registration page in clear language and separate from the terms and privacy policy, according to Ireman.

Here’s one way to do this: “Given the nature of OpenSim, by using OpenSim and signing up with our grid you will be consenting to the collection and necessary processing of your data. Please click the tick box here to show your consent.”

“This sort of thing would meet the consent part of GDPR as far as I can see, said Ireman.

One thing which could be harder for grids to do is to create a system to allow customers to request and review the data that has been collected about them — and to delete that data if they want.

David Kariuki is a technology journalist who has a wide range of experience reporting about modern technology solutions. A graduate of Kenya's Moi University, he also writes for Cleanleap, and has previously worked for Resources Quarterly and Construction Review. Email him at [email protected].

7 Responses

Well, I’m actually more interested in seeing how Linden Lab will handle this, rather than the small OpenSim grids. At times this has been a major contention issue with the Lab where Europeans left in droves when the adult debacle started in 2009.

From the FAQ I particularly like

“The conditions for consent have been strengthened, as companies will no longer be able to utilise long illegible terms and conditions full of legalese, as the request for consent must be given in an intelligible and easily accessible form, with the purpose for data processing attached to that consent – meaning it must be unambiguous.”
– I can sense a lot of hand-wringing in the LL legal department!

Well to be fair and to make the distinction, I don’t think data portability here means “content”, as in Opensim content that you have purchased from grids, or in SL. Same with content such as movies or music that are protected by DRM you have purchased from a entertainment provider. Data portability will be in relation to your personal information.

So organisations must provide your data upon request so you can provide that to an alternative provider for example.

Sorry but don’t think you will be getting your inventories free from LL any time soon 😛

I also want to point out that I did ask David to make clear in the
article – which so far he hasn’t – that I am in no way an expert on
GDPR, nor am I a lawyer and so grids and other interested parties need to
do their own due diligence to see how GDPR affects them and what steps they need to take.

This is just another money hungry regulation by government hacks in order to control more and more …Regulation is bad in any type, kind. I do not care where it is from. This is ridiculous, More and more these socialist countries are trying to put a hold in what we call progress. I find disgusting and revolting. That is my opinion.

The worry here is the phrase “The firs step is to get real consent.” This is a dangerous assumption and in many cases is simply incorrect. In a surprising number of cases you do not need consent, and in fact should not request it. This sounds odd so let me explain. The key lies in Article 6 of the GRPR: “Processing shall be lawful only if and to the extent that at least one of the following applies: ” – ONE of the basis for processing is that of consent. It is ONE option for a legal basis for processing. However in my view it should only be used when no other basis can be used. Why do I say this? Consent can be withdrawn. It also has to be optional. The kicker to this is that it has to be without penalties. You cannot say for example: “Do you consent to us processing your data?” if you are unable to offer them your service without that consent. Again if someone withdraws that request – can you still fulful your contract with them? Withdrawing consent to processing their data can not lead to you saying “you cannot be a customer then”. Those actions would case the consent to be considered “Freely given” as it is a form of coercion. Because of this consent should only be used as a basis for processing if no other basis for processing can be used. In many cases, where there are no other bases for processing, you simply do not need to process that data – you just want to.

The alternative is to use one of the other basis for processing and in many cases this would be (b) “processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; “. If processing the data is required to fulfil your contract – then you do not need to ask consent. The data subject can then Object (Article 21) to the processing – but providing your processing has a legal bases that you can present and defend – their objection doesn’t put you in breach. In many cases contractual obligations with the Data Subject are sufficient for processing essential data (required to do what they ask of you) and consent is just not needed removing the dangers of them withdrawing consent.

If someone withdraws consent then you have to stop processing their data – but you cannot terminate your contract with them based on that. If you do not stop processing their data you are in breach of the GDPR, if you turn round and say “We need to process this to filfil your contract” you are in breach of the GDPR because the consent was not “freely given”. If you turn around and say “well we cant fulfil our contract with you without that data” then you are in breach of the GDPR because that consent was not “freely given”. It is not “freely given” because contractual obligations were conditional on the consent – therefore you really had no choice.

TLDR; Never rely on consent for a legal basis to process data under GDPR unless you have to because no other legal basis is applicable. Main uses for consent should be for things like advertising.

Note: I am not a lawyer but I am responsible for the management of an education system in the UK at a large college and have had to look into this a lot lately.

This website uses cookies to improve your experience and to help us and our advertisers understand our audience so that we can grow the OpenSim ecosystem. More specifically, we use Google Analytics to see general information such as what countries people are coming from. We do not see any information at all about individual users. We also have Google AdSense set up. Here, Google might collect information about users in order to customize ads. You can change what information Google collects. Either way, here at Hypergrid Business, we don't see any of it. We also have Disqus set up for our comments system. Disqus only shows us information that you voluntarily share, We do not have any marketing email lists and we used to have a newsletter, a few years ago, but that has since been shut down and all information deleted. AcceptRejectRead More